OWASP Lists Top 10 Most Critical Web Application Risks

The Open Web Application Security Project cited injection flaws as the top risk facing software developers today in the recent version of its annual list of security threats.

The findings are based on data from eight firms that specialize in application security, and span more than 500,000 vulnerabilities across hundreds of organizations and thousands of applications, according to OWASP.

Rounding out the top three are broken authentication and session management and cross-site scripting, with broken authentication and session management moving up a slot from the previous list. Injection flaws such as SQL injection and Lightweight Directory Access Protocol (LDAP) injection remain at the top of the heap.

"Injection flaws occur when an application sends untrusted data to an interpreter," OWASP explained in the report. "Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc.

"The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query," the report continues. "For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries."

The top three categories are issues that have been known about for more than a decade, noted Chris Eng, vice president of research at Veracode.

"Unfortunately," he told eWEEK, "these vulnerabilities are so prevalent—in part due to years of lax security practices—that it is difficult to identify and fix them using ad-hoc manual security testing, which is still a common practice. Consider that the average large enterprise has 600 business critical apps, and according to our data, 32 percent of them have at least one SQL injection vulnerability and 67 percent have at least one cross-site scripting vulnerability. That is a lot of code and a lot of vulnerabilities."

Further complicating the rooting out of vulnerable applications is that the vast majority of apps in use are not frequently or easily reviewed and updated to correct security flaws—in part because many of them are older apps that are not on a frequent update schedule, opined Scott Parcel, CTO of Cenzic.

"It tends to be only the more high-profile applications that are regularly updated," he said, adding that organizations should make sure all of their production applications are regularly monitored for security flaws.

Besides the top three categories, the other vulnerabilities—in descending in order of risk—are insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using known vulnerable components, and unvalidated redirects and forwards.

"The list hasn’t changed significantly since 2010, though some items have been combined or shifted in importance," Eng said. "The newest category, A9 ('Using Known Vulnerable Components') is an important addition to the list because it acknowledges and highlights the fact that software vulnerabilities are introduced not just by a developer’s own code but by the libraries and other components they choose to integrate. If you’re only focused on testing and fixing your own code, you're ignoring a huge part of the attack surface."